IG: EPA Needs to Address IT Recommendations Valued at $860M

The Environmental Protection Agency (EPA) is leaving millions of dollars on the table and putting sensitive information at risk, according to the agency Inspector General’s (IG) Semiannual Report to Congress. The report, released today, highlights 114 recommendations from the IG that EPA has yet to implement, with the IG saying the monetary benefits of the unimplemented recommendations total $860 million.

The report, which covers October 1, 2017 through March 31, 2018, singles out unimplemented IT recommendations, including IG recommendations for better processes for internal controls for access management, integration and use of cloud services, information security vulnerability programs, and internal controls for applications management.

Access Management

The IG found that EPA did not establish controls to monitor direct access to data within the Compass Financials database, the agency’s accounting system, according to a 2016 report. The report explained that “Federal requirements indicate that agencies must establish controls to prevent and detect unauthorized access to agency data. The EPA’s OCFO [Office of the Chief Financial Officer] relied on directive controls, and did not establish controls to prevent or detect unauthorized access to the Compass Financials database.” This oversight could have cost the agency $3.5 million if a breach of information in Compass Financials, which houses Personally Identifiable Information belonging to employees and vendors, ever occurred.

In its initial report, the IG recommended that EPA work with the Compass Financials service provider to establish controls for creating and locking administrative accounts, as well as work with the service provider to develop and implement a methodology to monitor accounts with administrative capabilities. Both recommendations have a planned completion date of September 30, 2021.

Integration and Use of Cloud Services

The EPA has two unimplemented cloud services recommendations. In a report from 2015, the IG found that the EPA “is not fully aware of the extent of [the Office of Water’s] use of cloud services, and thereby is missing an opportunity to help make the most efficient use of its limited resources regarding cloud-based acquisitions.”

To correct that, the IG recommended that the agency “develop and implement an approved system authorization package (i.e., a risk assessment, System Security Plan and Authorization to Operate) and perform annual security assessments for the Permit Management Oversight System application” used by the Office of Water. In the initial report, the IG noted that while EPA agreed with its recommendation, the agency had not “provided sufficient information to allow us to determine whether their intended actions would satisfy the intent of our recommendations.” The planned completion date for the recommendation was May 31, 2016.

Information Security Vulnerability Programs

The IG found in a 2015 report that EPA personnel with oversight responsibilities for contractor systems weren’t aware of the EPA’s information security procedure requirements, meaning that contractors were not conducting the required annual security assessments, did not provide security assessment results to the agency for review, and did not establish the required incident response capability. This lack of awareness could have come with a hefty price tag had the EPA’s systems been compromised. “Without the required security controls, data breaches costing from $1.4 million to over $12 million could have occurred,” the 2015 report explained.

The IG suggested in 2015 that EPA should implement the recommendation of the agency’s Information Security Task Force to manage the vulnerability management program. That recommendation carried an initial planned completion date of September 30, 2017. However, the planned completion date was extended by one year to September 30, 2018.

Internal Controls for Applications Management

In a 2009 report, the IG raised security concerns regarding how EPA manages access and separation of duties with its Integrated Financial Management System (IFMS).

Regarding managing access to the IFMS, the IG said the “EPA needs to improve internal controls over IFMS users’ accounts to: (a) ensure users cannot process financial transactions that could result in theft of funds, (b) establish user accounts consistent with the authorizing official’s approval, and (c) terminate users’ system access when no longer needed.”

The IG again stressed the possibility for fraud and corruption when discussing the importance of separation of duties. Without well-documented policies in place, a lack of separation of duties “can lead to individuals being able to perpetrate and conceal irregularities,” the IG said in the 2009 report.

While the initial report doesn’t include a planned completion date, the Semiannual Report to Congress lists a planned completion date of December 31, 2018, a full nine years after the recommendation was made.